CVE-2026-55659
ADVISORY - docker
Summary
Impact
Several server-rendered Grist pages embedded user-controlled values into the page, and into inline scripts, without fully escaping them, allowing cross-site scripting. Two places were affected. On the main application page, a document's name or description, set by a document editor, is rendered into the page that other users load when they open the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page.
Injected script runs in the victim's Grist origin and can act through their authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access.
Patches
Fixed since version 1.7.15.
Mitigation was to escape embedded values for their context, replace template markers literally without interpreting special replacement patterns, and reduce openerOrigin to a validated same-origin value.
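The three mitigations described above, sketched in JavaScript as an added example; this is not Grist's code or its actual patch. The template markers, helper names, and sample values are hypothetical.

```javascript
// Added example, not Grist's code. Markers, helper names and sample values are hypothetical.
const TEMPLATE = '<title><!-- INSERT TITLE --></title>' +
  '<script>window.cfg = /* INSERT CONFIG */;</script>';

// HTML text context: encode the characters that can open tags or entities.
function escapeHtml(s) {
  const map = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline-script context: JSON.stringify alone is not enough, because the HTML
// parser ends the script element at "</script>" even inside a JS string.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Weak form: a string replacement is scanned for $&, $' and $` patterns, so a
// value that was correctly HTML-escaped can still pull template text back in.
function fillNaive(template, marker, value) {
  return template.replace(marker, value);
}

// Hardened form: a function replacer's return value is inserted literally.
function fillLiteral(template, marker, value) {
  return template.replace(marker, () => value);
}

// Reduce the request parameter to our own origin or nothing; never echo it.
function validatedOpenerOrigin(param, ownOrigin) {
  try {
    return new URL(String(param)).origin === ownOrigin ? ownOrigin : null;
  } catch (e) {
    return null; // not an absolute URL
  }
}

// Each value is escaped for the context its marker sits in, then filled literally.
function renderPage(doc) {
  const html = fillLiteral(TEMPLATE, '<!-- INSERT TITLE -->', escapeHtml(doc.name));
  return fillLiteral(html, '/* INSERT CONFIG */',
    jsonForScript({description: doc.description}));
}
```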
Workarounds
Limit document edit access to trusted users, and be cautious opening documents from people you do not trust. Avoid following OAuth authorization links from untrusted parties while signed in to Grist.
Common Weakness Enumeration (CWE)
Docker
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| grist | dhi | - | - | <1.7.15 | 1.7.15 |
Severity and metrics
No CVSS data available from this advisory.